Say you dutifully got your organization in good compliance with the GDPR, and then did the same for CCPA, and perhaps even for the state laws that followed from Virginia, Nevada, Colorado, Connecticut, and Utah. Great.

But none of that prepared you for the new demands of the CCPA's replacement, the CPRA. The new law calls for executing new contracts with all your counterparties, requiring that they comply with the CPRA and that they grant you the rights and power to verify that they have complied. CPRA 1798.100(d).

The requirement to enter a new contract is extensive, and the obligation applies to each new type of counterparty: service providers, contractors, and third parties. The new CPRA also requires that businesses enter a contract with any counterparties that use personal information regardless of whether the information is given by the business itself or obtained on behalf of the business.

When these GDPR-like requirements take effect, businesses are likely to be surprised by the consequences of failing to perform vendor due diligence or risk assessments. Right now, these requirements take effect in California on January 1, 2023, and several other state laws have similar new provisions.

California’s proposed regulations give this requirement extra bite by explicitly stating that “whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CPRA and these regulations,” via Section 7051(e).

In other words, it is not enough to simply have the required contract in place. If you do not use your obligatory contractual audit rights to audit your vendors, and there is a violation, knowledge of their violations can be imputed to you and you can be held liable along with the third party.

The second major change is …

Read The Full Article at ANA